AgentGuard

v1.0.0

Monitors agent file access, API calls, and communications to detect suspicious behavior, log events, and generate actionable security reports.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The files and SKILL.md implement a file/API/communication monitor, anomaly detector, logger, alerter and reporter; these capabilities align with the implied purpose (security monitoring). However, the skill has no public homepage/source and the skill metadata provides no description or provenance, which reduces trustworthiness.
Instruction Scope
SKILL.md instructs continuous, broad monitoring of file reads/writes and all external communications (including scanning for credentials). It asserts 'No external data transmission', but the code/config expose channels (telegram, discord, webhook, email) that can dispatch alerts externally when configured. The monitoring covers sensitive paths (e.g. ~/.ssh, .aws, .netrc), which is coherent for a monitor but involves high-sensitivity data; the skill's instructions allow wide discretion to collect and log this data.
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded or executed automatically by an installer. Code is included in the package, which will create ~/.agentguard and write logs at runtime. No external install URLs or unexpected installers were present.
Credentials
The skill declares no required environment variables (and none are necessary to run locally). However, alert dispatching supports external channels and expects configuration (webhook_url, chat IDs, etc.) which, if supplied, would enable data to leave the host. SKILL.md does not require any credentials, but the effective behavior can be changed by the user-supplied config; this mismatch should be considered.
Persistence & Privilege
The skill does not request force-inclusion (always: false) and does not modify other skills. It writes to a local directory (~/.agentguard) for logs, baselines, alerts and reports, which is expected for monitoring software. Running as a separate process (recommended in SKILL.md) is appropriate to limit risk.
What to consider before installing
What to consider before installing AgentGuard:
- Provenance: the skill has no homepage/source URL in the metadata. Prefer skills with a public repository, release notes or verified publisher. Ask for the upstream repo or a signed release before trusting it.
- External channels: SKILL.md claims "No external data transmission" but the code supports Telegram/Discord/webhook/email alerts. If you enable those channels (or add webhook URLs/chat IDs), sensitive information from logs/alerts can be sent off-host. Only enable external channels you fully control, and inspect the alert contents first.
- Scope of monitoring: AgentGuard watches broad paths (including ~/.ssh, .aws, .netrc, .env). That is expected for a security monitor but means the tool will see highly sensitive secrets. Only grant it access to directories you intend to monitor, and exclude secret stores if you do not want them monitored.
- Run isolation: follow the SKILL.md suggestion and run AgentGuard in a separate process/container with limited privileges (read-only where possible). That reduces the risk that a compromised agent can disable or tamper with monitoring.
- Configuration review: before enabling automated dispatching, review ~/.agentguard/config.yaml and ensure 'channels' and webhook URLs are set to trusted endpoints. Enable log encryption and retention as needed.
- Code review / provenance check: if you cannot verify the upstream repository or author, inspect the included scripts (monitor, logger, detector, alerter, reporter) for unexpected network calls or obfuscated code. The visible code prints and simulates sends rather than performing direct network POSTs, but the presence of dispatch functions means network sending can be enabled by configuration or by future changes.
- What would change this assessment: a public, verifiable source repository, signed releases, or a maintainer statement that alerts are only local unless explicit external channels are configured would increase confidence. Conversely, finding hardcoded remote endpoints, obscured network calls, or automatic remote installation would increase severity to malicious.


Latest version: vk97dk179bwr48sz0jk62b3jczh80by4j
